GPSolo Magazine - January/February 2006

Whose Law Rules the Information Super-Highway?

It’s easy to set up a website. Internet service providers such as Yahoo and AOL host sites and generally provide you with point-and-click access to the tools needed to quickly and easily create a sophisticated e-commerce website.

Despite this ease of creation, dangers abound when you consider the laws that may apply to transactions completed on a new site. It has been said that the Internet knows no borders, and this is true. Once a site is running, it can be accessed from anywhere in the world. This raises many issues that you must consider when advising clients about potential pitfalls and liabilities related to their website. For example, if your client’s site is hosted in Illinois, could she be sued by a California user? Must she comply with the strict privacy laws in effect in the European Union? Does she have a duty to verify that a buyer resides in a location where the item being purchased is legal?

Long-Distance Lawsuits

The bad news: Your client may be subject to litigation brought by users residing in foreign jurisdictions. The good news: Most courts that have considered this issue will give full effect to any choice of law and choice of forum clauses contained in a “terms of use” agreement. Your first advice to any client considering operating a website is that they permit you to draft and implement a terms of use agreement and that their website requires each user to signal acceptance of that agreement prior to completing any transaction on the site.

But what if the client comes to you after already being sued in a foreign jurisdiction? Most courts faced with this situation have relied upon the minimal contacts requirements of basic due process set forth by the U.S. Supreme Court in International Shoe Co. v. State of Washington, the case that plagued us all as first-year law students . Under International Shoe, a three-pronged test is used to determine whether these minimal contacts exist: (1) non-resident defendants must purposefully direct their activities or consummate some transaction with the forum or resident thereof or perform some act by which they purposefully avail themselves of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws; (2) the claim must be one that arises out of or relates to the defendant’s forum-related activities; and (3) the exercise of jurisdiction must comport with fair play and substantial justice (i.e., it must be reasonable).

Most courts have held that the mere publishing of a website that may be viewed from a foreign jurisdiction and that may enable orders to be taken from that foreign jurisdiction does not create sufficient contacts to meet the minimal contacts test. Still, there is a minority view that such acts can subject the website owner to suit in a foreign jurisdiction. The courts use a sliding scale to determine whether minimum contacts are met in Internet cases. At the low end of the scale is the simple website that is published but not directed to residents of the state, and from which business is not solicited from residents of the state. This type of information-only site does not generally result in contact sufficient to meet the minimal contacts requirements.

At the other end of the scale are sites that actively solicit business from residents of the target state, perhaps by advertising in print publications within the state or through the airing of radio or TV commercials designed to cause the residents of the state to actively seek out the site for purposes of doing business. Sites that fall at this end of the scale will generally be found to have met the minimal requirements, and jurisdiction will be proper.

The European Privacy Laws

Europe’s privacy laws are generally much stricter than those in the United States. When your client publishes a website that may attract users from Europe, must they comply with those laws? If so, what level of protection is required?

Recognize that even in the absence of an actual commercial transaction, your client’s website may collect certain information regarding visitors to the site. For example, visitors may be asked to register an e-mail address, or an automatic process may collect information regarding the visitor’s location, computer equipment, and usage pattern (including what site they visited prior to visiting your client’s site and what site they went to when they exited your client’s site). In the United States there are few regulations other than voluntary association restrictions on what can be done with this data. However, the European Union and its member states have passed directives that deal directly with privacy issues. Among these directives are 95/46/EC, which deals primarily with transfers of data between companies, and 2002/58/EC, a measure that concerns the collection of data from individuals.

There are no reported decisions in the U.S. courts wherein a company has been held liable for violations of any European privacy directive, nor where a judgment against a company has been enforced in a U.S. court. As long as your client is truly doing business only in the United States, they would appear to be safe from enforced compliance with the European directives.

The trend in the United States, however, is to move toward stricter privacy laws, with the European model becoming the de facto standard. Your clients should thus be advised to consider voluntarily complying with the European directives if their business model permits. The most important provision to comply with concerns traffic data—the collection of information about the user done automatically when the user connects to the website (usually via a cookie). At a minimum, in order to comply with the European Union Directives, your client must take steps to make certain that the information collected becomes either anonymous or erased upon the termination of the user’s session. Your client must also have a “privacy policy” published on its site, which informs the user of the type of information collected and its intended use. Billing information may be retained only so long as the transaction may be challenged.

In 2000, the United States and the European Union entered into the Safe Harbor program. The European Union and its member states have agreed that any company participating in the Safe Harbor program will not be deemed to be in violation of the European Union’s Directives on data privacy. A company participating in the Safe Harbor program must meet certain standards—essentially those mandated by the European Union Directives. An overview of the program can be found at

Illegal Transactions

The laws of the several states are different in many respects. For example, the sale of prescription medications via the Internet is legal in the state of Ohio but generally illegal in the state of Tennessee. Must your client ensure that the customer entering into a transaction from a distant state is not doing so in violation of the laws of the customer’s home state?

The short answer is that they must. This issue most frequently arises in connection with the sale of alcohol, tobacco, or drugs via a website. For example, it is illegal to ship cigarettes via mail to any residence in New York and illegal to ship wine to many states, such as Kentucky. The “long-arm” criminal statutes of many states provide that anyone can be held criminally liable within the state so long as any element of the crime is committed within the borders of the state. Delivery of a product to an in-state resident would constitute an element of the crime, subjecting your client to such criminal liability.

Some states have gone so far as to add Internet transactions directly to their long-arm statutes. Ohio is one such state, where the statute expressly provides that:

The person, by means of a computer, computer system, computer network, telecommunication, telecommunications device, telecommunications service, or information service, causes or knowingly permits any writing, data, image, or other telecommunication to be disseminated or transmitted into this state in violation of the law of this state.

Federal law also applies to transactions of this type. For example, the Webb-Kenyon Act was passed in 1913 to prohibit the shipment of alcohol from a state where sale was legal into a state where sale was prohibited. Although the Webb-Kenyon Act was enacted long before the development of the Internet, it remains applicable in today’s e-commerce world, as demonstrated by a recent Supreme Court decision in which a prohibition on shipments of wine to residents of Michigan and New York was overturned. Although the Court overturned the state laws prohibiting shipments, both the majority and minority agreed that states may properly ban shipment of alcohol (and by analogy, any illegal product) as long as there is no discrimination between in-state and out-of-state sellers.

Ultimately, your clients are well advised to check the laws of every jurisdiction before shipping any product to that jurisdiction. Should their product be illegal, they must not accept orders from that jurisdiction.

Potholes on the Super-Highway

The Internet provides us, and our clients, with many opportunities for marketing and sales, but with those opportunities come greater risks. As attorneys we must become aware of these risks so that we may properly advise our clients.

Tim Hatton is an attorney licensed in Tennessee. He can be reached at and blogs at Molly L. Buckman is a second-year law student at the University of Dayton School of Law; she can be reached at


Back to Top